John Morello, CTO and Co-Founder at Minimus discusses the evolution of IT management and DevSecOps in this catch-up with CIO Influence:
___________
Hi John, tell us about yourself and your role at Minimus.
I'm John Morello, CTO and Co-Founder at Minimus. Previously I was the CTO at Twistlock and VP Product for Prisma Cloud at Palo Alto Networks. I lead our product and solutions architecture groups – ensuring that we're partnering effectively with our customers on their container security.
Take us through some of Minimus’s recent innovations in brief.
Minimus launched less than 90 days ago at RSA – bringing our hardened, minimal container solution to market. Unlike your traditional container images from DockerHub and similar public sources, Minimus images contain 95% fewer vulnerabilities – vastly reducing the risk posture of customers' container environments.
What are some of the top trends around container security that you’d like to highlight for security teams and CISOs?
I think we're seeing an overall trend towards hardening – both with hardened images (like what we do at Minimus) but also with hardened runtimes – focusing on building more secure-by-design environments for container executions. It's no longer enough to layer on security after the fact, but rather the trend is now to use the advantages of containers themselves to build in stronger protection at every layer of the stack.
How are you seeing AI impact the DevSecOps space and in what ways will DevSecOps processes change in future with more use of AI?
AI coding tools like Cursor and GitHub Copilot allow developers to ship code significantly faster – but it's vital that DevSecOps teams maintain appropriate guardrails – checking for risks in third-party dependencies pulled in by AI agents, scanning AI-generated first-party code for novel vulnerabilities, and more. DevSecOps is going to need to evolve to be more integrated even earlier into the development workflow – by helping to create safeguards on AI use, and integrating security checks into both agents and IDEs.
What tips would you share with tech and IT teams to better align security and engineering workflows with reduced conflicts?
The biggest tip is to not stop at "shift left". A lot of misalignment between security and engineering comes when a "shift left" security tool easily integrates into a CI/CD pipeline, but then throws up thousands of alerts on every build. Proper integration of security and development has to be seamless in four ways:
- How tooling is integrated into development pipelines
- Use of minimalistic, secure by default, artifacts that significantly reduce the number of vulnerabilities you start with
- How alerts are triaged and prioritized for remediation
- How remediation is verified by follow-up scanning
Without focusing on each of these – security and engineering will continue to be in conflict.
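As an added illustration of the triage and follow-up-scan points above (example code written for this page, not Minimus tooling; the finding format, the severity policy and the CVE-EXAMPLE-* placeholders are constructed assumptions):

```python
"""Triage container scan findings so a build does not drown in alerts, then
verify remediation by diffing a follow-up scan. Finding schema is assumed."""
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "negligible": 0}

@dataclass(frozen=True)
class Finding:
    cve: str                    # identifier as the scanner reports it
    package: str
    severity: str
    fix_version: Optional[str]  # None when upstream has no fix yet
    exploited: bool = False     # scanner's known-exploited flag

def triage(findings, min_severity="high", accepted=frozenset()):
    """Keep only findings worth a developer's time: fixable, not already
    risk-accepted, and at/above the severity floor or known exploited.
    Most urgent first: exploited, then by severity, then by id."""
    floor = SEVERITY_RANK[min_severity]
    actionable = [f for f in findings
                  if f.cve not in accepted and f.fix_version is not None
                  and (SEVERITY_RANK[f.severity] >= floor or f.exploited)]
    return sorted(actionable,
                  key=lambda f: (not f.exploited, -SEVERITY_RANK[f.severity], f.cve))

def verify_remediation(before, after):
    """Follow-up scan check: what was fixed, what remains, what is new
    (e.g. pulled in by an upgraded dependency). Compared by CVE id."""
    b, a = {f.cve for f in before}, {f.cve for f in after}
    return {"fixed": sorted(b - a), "remaining": sorted(b & a), "new": sorted(a - b)}

def should_block(actionable):
    """Gate policy: fail the build on anything exploited or critical."""
    return any(f.exploited or f.severity == "critical" for f in actionable)

# Constructed sample: a general-purpose base image vs. a minimal rebuild of the
# same app with shell, perl and libxml2 no longer present.
FULL_IMAGE = [
    Finding("CVE-EXAMPLE-0001", "openssl", "critical", "3.0.14"),
    Finding("CVE-EXAMPLE-0002", "libxml2", "high", None),
    Finding("CVE-EXAMPLE-0003", "curl", "medium", "8.8.0", exploited=True),
    Finding("CVE-EXAMPLE-0004", "perl", "low", "5.36.1"),
    Finding("CVE-EXAMPLE-0005", "bash", "high", "5.2.21"),
]
MINIMAL_IMAGE = [Finding("CVE-EXAMPLE-0001", "openssl", "critical", "3.0.14")]

if __name__ == "__main__":
    worklist = triage(FULL_IMAGE)
    print([f.cve for f in worklist], "block:", should_block(worklist))
    print(verify_remediation(worklist, triage(MINIMAL_IMAGE)))
```

The no-fix and low-severity findings never reach the worklist, which is the difference between a few actionable items and the "thousands of alerts on every build" the answer describes.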
Five best practices you’d share with every CIO and CISO?
- Be skeptical of the hype. Everyone's touting their AI claims – but make sure that you're evaluating the impact AI will have not just on your teams, but on your risk posture.
- Secure by design is a must – with AI-enabled coding, understanding security and compliance needs upfront is even more essential to avoid significant rework or prompting later in the development process.
- Focus on reducing your attack surface. The number of vulnerabilities, active exploits, and other threats just keeps growing – and an attacker only needs to be right once. You'll see the biggest impact to your risk posture by reducing attack pathways vs. playing an unending game of CVE whack-a-mole.
- Align on incentives. Appsec is motivated by reducing CVEs in code, developers are motivated to ship faster. Make sure that you're working with engineering leadership to align on how these competing motives are balanced.
- Share what works. There's a reason 85%+ of software is open source; the power of the community has built best-in-breed web servers, databases, and more. Sharing security best practices across organizations helps us all benefit.
John Morello is the CTO and Co-Founder of Minimus. Minimus helps organizations avoid 95% of vulnerabilities in their cloud apps by providing secure, minimalistic software images.
Previously, he was the CTO of Twistlock and helped take the company to over 400 customers, including 45% of the Fortune 100, and a $.5B exit to Palo Alto Networks where he served as VP of Product for Prisma Cloud. John holds multiple cybersecurity patents and is the author of NIST SP 800-190, the Container Security Guide.
Prior to Twistlock, he was the CISO of an S&P 500 global chemical company. Before that, he spent 14 years at Microsoft where he worked on security technologies in Windows and Azure and consulted on security projects across the DoD, intelligence community, and at the White House.
John graduated summa cum laude from LSU and lives in Baton Rouge with his wife and two sons. A lifelong outdoorsman and NAUI Master Diver and Rescue Diver, he’s former board chair of the Coalition to Restore Coastal Louisiana and current board member of the Coastal Conservation Association.
Founded in October 2022 by Ben Bernstein, Dima Stopel, and John Morello, Minimus radically reduces cloud software vulnerabilities. As the pioneers of container security with Twistlock and author of NIST SP 800-190, Minimus solves the endless treadmill of cloud software vulnerabilities by simply preventing 95% of them from ever existing.
Minimus builds images from scratch, directly from upstream project sources, with only the minimal software needed to run the app, dramatically reducing their attack surface. Minimus images are drop-in replacements for the apps organizations are already using and are deployed with single line configuration file changes, providing nearly instant time to value. Minimus eliminates time consuming and low value remediation work for devs, is easy for ops to deploy and manage using their existing tools, and provides security with remarkably clear risk reduction. Minimus raised a $51M seed round from YL Ventures and Mayfield.